More than three months after being informed about remotely exploitable vulnerabilities in 25 router models, Linksys is yet to issue patches to remedy them.
Researchers at IOActive Labs wrote that they had informed Linksys of 10 flaws on 17 January, six of which could be remotely exploited by unauthenticated people.
But as of last week, all that Linksys had done was to notify users through a public post and suggest workarounds until patched firmware was ready.
Given Linksys' inactivity, the IOActive Labs researchers said they were holding off on providing the full technical details of the flaws until patched firmware was ready for download.
{loadposition sam08}The IOActive Labs said they had found about 7000 vulnerable devices accessible on the Internet and provided a region-wise break-up.
In an advisory published last week, Linksys, formerly a division of Cisco and now owned by Belkin, claimed to have been "recently notified" of some vulnerabilities in its Linksys Smart Wi-Fi series of routers.
It said the following models were vulnerable:
WRT Series: WRT1200AC, WRT1900AC, WRT1900ACS and WRT3200ACM.
EAxxxx Series: EA2700, EA2750, EA3500, EA4500 v3, EA6100, EA6200, EA6300, EA6350 v2, EA6350 v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400 and EA9500.
Two of the issues identified by IOActive Labs allow unauthenticated people to stage a a denial of service attack on the router, by sending a few requests or abusing a specific API and making router unresponsive and prone to even reboot.
The Web admin interface of the device would then be inaccessible and users would be unable to connect until the DoS attack ceased.
The researchers said authentication protecting the CGI scripts could also be bypassed to collect the firmware version, Linux kernel version, a list of active processes, a list of connected USB devices, or the WPS pin for the Wi-Fi connection.
"Unauthenticated attackers could also harvest sensitive information, for instance using a set of APIs to list all connected devices and their respective operating systems, access the firewall configuration, read the FTP configuration settings, or extract the SMB server settings," they wrote.
A third way into the routers was by authenticated attackers injecting and executing commands on the router's operating system with root privileges.
"One possible action for the attacker is to create backdoor accounts and gain persistent access to the router. Backdoor accounts would not be shown on the Web admin interface and could not be removed using the admin account," they said.
But they added that they had been unable to find a way to bypass the authentication protecting the vulnerable API as this authentication was different from that protecting the CGI scripts.
Linksys advise users of the models listed to enable automatic updates, disable the Wi-Fi guest network if it was not in use and change the default password for the admin account.
"We will be releasing firmware updates for all affected devices. In order for your device to receive the update as soon as it is available, please make sure you have automatic updates enabled," the company wrote, without specifying how much longer it would take to provide these updates.
Graphic courtesy IOActive Labs.